Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HijackThis logfile


  • Please log in to reply
25 replies to this topic

#1 Torgar

Torgar

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:01:26 PM

Posted 25 June 2005 - 11:15 PM

Hey there, I seriously hope someone can help me because my normal Adware and whatnot programs aren't permenantely deleting these few files that constantly come back. But anyway, here's my logfile :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 11:08:00 PM, on 6/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
c:\windows\system32\tirwobq.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Adam Ellison\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [jbkgksq] c:\windows\system32\ocnhwg.exe r
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9996.dll' missing
O16 - DPF: WebControlDeploy - https://grouper.com/v1/GrouperSetup.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...lls/install.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...312/mcfscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://sc.communities.msn.com/controls/chat/msnchat45.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} (download_35mb_com.applet) - http://static.35mb.com/applet/applet_o.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\mlndex.dll
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\System32\MsPMSPSv.exe (file missing)


Thanks for any assistance :flowers:

BC AdBot (Login to Remove)

 


m

#2 H@ns

H@ns

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:07:26 PM

Posted 26 June 2005 - 02:05 AM

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php?sho...050515010747824
Unzip it to the desktop but please do NOT run it yet.

The above Registry file written by miekiemoes, Swandog and racooper was written specifically for this infection and is not to be used on any other infection as it could damage a person's PC

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the log from the scan to your Desktop. IMPORTANT! Lately more people choose “Ignore” during the scan, but you’ll have to click/choose “Clean” or “Quarantine”! Otherwise the whole fix will result in a failure.

Then please run HijackThis, click Scan, and check (if there):

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode, make a new HijackThis log and post it here, as well as the log from the Ewido scan.

#3 Torgar

Torgar
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:01:26 PM

Posted 26 June 2005 - 08:12 AM

Thanks a lot, did everything word for word and here's my updated logs.

Logfile of HijackThis v1.99.1
Scan saved at 8:07:50 AM, on 6/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\system32\sqtbuj.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Adam Ellison\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [tjgeizj] c:\windows\system32\sqtbuj.exe r
O4 - HKLM\..\Run: [jbkgksq] c:\windows\system32\ocnhwg.exe r
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9996.dll' missing
O16 - DPF: WebControlDeploy - https://grouper.com/v1/GrouperSetup.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...lls/install.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...312/mcfscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://sc.communities.msn.com/controls/chat/msnchat45.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} (download_35mb_com.applet) - http://static.35mb.com/applet/applet_o.cab
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\plcrt.dll
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\mlndex.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\System32\MsPMSPSv.exe (file missing)

And....

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:03:07 AM, 6/26/2005
+ Report-Checksum: 918958BF

+ Date of database: 6/26/2005
+ Version of scan engine: v3.0

+ Duration: 87 min
+ Scanned Files: 58610
+ Speed: 11.19 Files/Second
+ Infected files: 107
+ Removed files: 107
+ Files put in quarantine: 107
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Adam Ellison\Application Data\euto.exe -> Spyware.PurityScan.v -> Cleaned with backup
C:\Documents and Settings\Adam Ellison\Cookies\adam ellison@hb.lycos[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Adam Ellison\Local Settings\Temp\Cookies\adam ellison@a.websponsors[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Adam Ellison\Local Settings\Temp\Cookies\adam ellison@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Adam Ellison\Local Settings\Temp\Cookies\adam ellison@ads.addynamix[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Adam Ellison\Local Settings\Temp\Cookies\adam ellison@bilbo.counted[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Adam Ellison\Local Settings\Temp\Cookies\adam ellison@bluestreak[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Adam Ellison\Local Settings\Temp\Cookies\adam ellison@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Adam Ellison\Local Settings\Temp\Cookies\adam ellison@hotlog[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Adam Ellison\Local Settings\Temp\Cookies\adam ellison@rb4.worldsex[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Adam Ellison\Local Settings\Temp\Cookies\adam ellison@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Adam Ellison\Local Settings\Temp\Cookies\adam ellison@servedby.netshelter[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Adam Ellison\Local Settings\Temp\Cookies\adam ellison@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Adam Ellison\Local Settings\Temp\Cookies\adam ellison@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Adam Ellison\Local Settings\Temp\Cookies\adam ellison@zedo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Adam Ellison\Local Settings\Temp\DrTemp\abiuninst.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Adam Ellison\Local Settings\Temp\ICD1.tmp\PopCapLoader.dll -> Not-A-Virus.PornWare.PopCap.b -> Cleaned with backup
C:\Documents and Settings\Adam Ellison\Local Settings\Temp\ssbdqvq.exe -> TrojanDownloader.IstBar.ij -> Cleaned with backup
C:\Documents and Settings\Adam Ellison\Local Settings\Temp\VR5hKO05.exe -> Spyware.WinFetcher.b -> Cleaned with backup
C:\Documents and Settings\Adam Ellison\Local Settings\Temp\weowk.exe -> TrojanDownloader.IstBar.ij -> Cleaned with backup
C:\Documents and Settings\Adam Ellison\Local Settings\Temporary Internet Files\Content.IE5\63M7ADAJ\AppWrap[1].exe -> TrojanDropper.Agent.kd -> Cleaned with backup
C:\Documents and Settings\Adam Ellison\Local Settings\Temporary Internet Files\Content.IE5\63M7ADAJ\AppWrap[3].exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\Documents and Settings\Adam Ellison\Local Settings\Temporary Internet Files\Content.IE5\63M7ADAJ\AppWrap[4].exe -> TrojanDownloader.Agent.qg -> Cleaned with backup
C:\Documents and Settings\Adam Ellison\Local Settings\Temporary Internet Files\Content.IE5\810JGNW7\AppWrap[1].exe -> TrojanDownloader.Wintool.e -> Cleaned with backup
C:\Documents and Settings\All Users.WINDOWS\Application Data\SecTaskMan\lbbho.dll.q_2CFE000_q -> Spyware.Neon.a -> Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug.a -> Cleaned with backup
C:\Program Files\CasStub\casstub.exe -> TrojanDownloader.Agent.qg -> Cleaned with backup
C:\Program Files\ddd.exe -> TrojanDropper.Agent.hh -> Cleaned with backup
C:\Program Files\Internet Explorer\frykfuuv.exe -> TrojanDownloader.WinShow.ac -> Cleaned with backup
C:\Program Files\Internet Explorer\xxobbvnh.exe -> TrojanDownloader.WinShow.ac -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP953\A0355925.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP953\A0355926.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP953\A0355927.exe -> Spyware.BargainBuddy -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP953\A0355977.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP953\snapshot\MFEX-1.DAT -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP954\A0355997.dll -> Spyware.Small.ez -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP954\A0356000.exe -> Spyware.WebSearch -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP954\A0356003.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP954\A0356006.exe -> TrojanDownloader.Wintool.e -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP954\A0356012.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP954\A0356021.dll -> Spyware.Look2Me -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP954\A0356039.dll -> Spyware.ImiBar.d -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP954\A0356040.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP954\A0356041.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP954\A0356043.dll -> Trojan.Agent.db -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP954\A0356047.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP954\A0356049.dll -> Spyware.Look2Me -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP954\A0356051.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP954\A0356052.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP954\A0356053.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP955\A0356058.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP955\A0356059.exe -> Spyware.Look2Me -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP955\A0356063.dll -> Spyware.ImiBar.d -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP955\A0356064.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP955\A0356065.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP955\A0356066.dll -> Trojan.Agent.db -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP955\A0356070.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP955\A0356089.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP955\A0356120.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP955\A0357066.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP955\A0357083.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP955\A0357103.dll -> Spyware.BookedSpace.e -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP955\A0357109.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP955\A0357116.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP955\A0357119.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP955\A0357120.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP955\A0357122.exe -> TrojanDownloader.Apropo.ac -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP955\A0357123.exe -> TrojanDownloader.Agent.ed -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP955\A0357131.exe -> Spyware.BookedSpace.e -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP955\A0357132.dll -> Spyware.BookedSpace.e -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP955\A0357135.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP956\A0357140.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP956\A0357151.exe -> TrojanDownloader.Agent.qg -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP956\A0357159.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP956\A0357160.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP956\A0357177.dll -> TrojanDownloader.Qoologic.p -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP956\A0357178.dll -> Trojan.Agent.db -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP956\A0357179.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP956\A0357184.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP956\A0357185.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{908E31A6-76BF-41B5-B563-43AFD9DD6CE2}\RP956\A0357186.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\temp\EDowPack.exe -> TrojanDownloader.Wintool.e -> Cleaned with backup
C:\temp\NCasePackage.exe -> Spyware.180solutions -> Cleaned with backup
C:\temp\optimize.exe -> TrojanDownloader.Dyfuca.dx -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\frykfuuv.exe -> TrojanDownloader.WinShow.ac -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\WUInst.dll -> Spyware.SaveNow.ab -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\xxobbvnh.exe -> TrojanDownloader.WinShow.ac -> Cleaned with backup
C:\WINDOWS\iexplore.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\NDNuninstall4_85.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\WINDOWS\NDNuninstall6_22.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\WINDOWS\SYSTEM32\Agent.dll -> Spyware.Saha -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ahxmzjl.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\SYSTEM32\AUNPS2.dll -> Spyware.Small.ez -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ezStubi.dll -> Spyware.EZula.a -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ihrop.dll -> Spyware.Look2Me -> Cleaned with backup
C:\WINDOWS\SYSTEM32\installer_im.dll -> TrojanDownloader.Delf.j -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ivign32.dll -> Spyware.Look2Me -> Cleaned with backup
C:\WINDOWS\SYSTEM32\jQvart.dll -> Spyware.Look2Me -> Cleaned with backup
C:\WINDOWS\SYSTEM32\netpals.dll -> TrojanDownloader.BHO -> Cleaned with backup
C:\WINDOWS\SYSTEM32\NLNP13.dll -> Spyware.Igetnet -> Cleaned with backup
C:\WINDOWS\SYSTEM32\NLNP131.dll -> Spyware.Igetnet -> Cleaned with backup
C:\WINDOWS\SYSTEM32\SHAgentNew.dll -> Spyware.Sahat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\WgGP2u.exe -> Spyware.WinFetcher.b -> Cleaned with backup
C:\WINDOWS\SYSTEM32\Xcite.dll -> Spyware.MyWay.b -> Cleaned with backup
C:\WINDOWS\SYSTEM32\Xcite.exe -> Spyware.MyWay.b -> Cleaned with backup
C:\WINDOWS\xgghprqxr.exe -> Spyware.BetterInternet -> Cleaned with backup


::Report End

I hope this all turns out well in the end :thumbsup:
I will say though that on start-up Ewido promptly came up and detected the stupid ABI (ABetterInternet) program running again :flowers: I'm not sure how that thing is like a phoenix and rises from it's death but it is. :trumpet:

#4 Torgar

Torgar
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:01:26 PM

Posted 30 June 2005 - 11:33 PM

Hi, in aobut 30 minutes it will be 5 days to the dot :thumbsup:

I know this only got lost in the mass of other needy people so I'm just bumping this with an updated HijackThis logfile.

Thanks again!

Logfile of HijackThis v1.99.1
Scan saved at 11:31:31 PM, on 6/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\hpjjlm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
c:\windows\system32\bfnisqb.exe
c:\windows\system32\sprsdgx.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Adam Ellison\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [tjgeizj] c:\windows\system32\sqtbuj.exe r
O4 - HKLM\..\Run: [jbkgksq] c:\windows\system32\ocnhwg.exe r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dyhmrh] c:\windows\system32\bfnisqb.exe r
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\hpjjlm.exe reg_run
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [iphpsh] C:\WINDOWS\system32\iphpsh.exe
O4 - HKCU\..\RunOnce: [iphpsh] C:\WINDOWS\system32\iphpsh.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9996.dll' missing
O16 - DPF: WebControlDeploy - https://grouper.com/v1/GrouperSetup.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...lls/install.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...312/mcfscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://sc.communities.msn.com/controls/chat/msnchat45.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} (download_35mb_com.applet) - http://static.35mb.com/applet/applet_o.cab
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\plcrt.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\System32\MsPMSPSv.exe (file missing)

#5 H@ns

H@ns

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:07:26 PM

Posted 01 July 2005 - 01:00 AM

You have VX2 on your computer. Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

#6 Torgar

Torgar
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:01:26 PM

Posted 01 July 2005 - 01:42 AM

Woo, prompt :thumbsup:

Thanks man, here you are.

Edit: Oh, and I had HijackThis "fix" these....6 files...
O4 - HKLM\..\Run: [tjgeizj] c:\windows\system32\sqtbuj.exe r
O4 - HKLM\..\Run: [jbkgksq] c:\windows\system32\ocnhwg.exe r
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\hpjjlm.exe reg_run
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKCU\..\Run: [iphpsh] C:\WINDOWS\system32\iphpsh.exe
O4 - HKCU\..\RunOnce: [iphpsh] C:\WINDOWS\system32\iphpsh.exe


Anyway, on to the log!

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\plcrt.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{AEF084D1-71DA-7D17-7350-6684EB66576B}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{8F05B1A8-9D77-4B8F-AF54-6B2202066F95}"="Pop-Up Stopper &Companion"
"{EB47FF00-225E-11D2-9E1D-00A0C9AB0EEE}"="eLicense Control"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{1E2CDF40-419B-11D2-A5A1-002018648BA7}"="AVG Shell Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}"="aý Context Menu Shell Extension"
"{6EF42881-D128-4CB2-8ACD-E1D201419DA8}"=""
"{51D961F7-8E88-4434-8AA4-0C11A0CA850E}"=""
"{D11F859D-9328-4275-A949-5D53587F4919}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6EF42881-D128-4CB2-8ACD-E1D201419DA8}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6EF42881-D128-4CB2-8ACD-E1D201419DA8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6EF42881-D128-4CB2-8ACD-E1D201419DA8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6EF42881-D128-4CB2-8ACD-E1D201419DA8}\InprocServer32]
@="C:\\WINDOWS\\system32\\wedap32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{51D961F7-8E88-4434-8AA4-0C11A0CA850E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{51D961F7-8E88-4434-8AA4-0C11A0CA850E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{51D961F7-8E88-4434-8AA4-0C11A0CA850E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{51D961F7-8E88-4434-8AA4-0C11A0CA850E}\InprocServer32]
@="C:\\WINDOWS\\system32\\zwib.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D11F859D-9328-4275-A949-5D53587F4919}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D11F859D-9328-4275-A949-5D53587F4919}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D11F859D-9328-4275-A949-5D53587F4919}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D11F859D-9328-4275-A949-5D53587F4919}\InprocServer32]
@="C:\\WINDOWS\\system32\\oebcjt32.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Mon May 2 2005 3:52:34p A.... 1,019,904 996.00 K
cdfview.dll Mon May 2 2005 3:52:34p A.... 151,040 147.50 K
cdm.dll Thu May 26 2005 4:16:24a A.... 75,544 73.77 K
e6f1873b.dll Fri Jul 1 2005 1:37:32a A.... 147,456 144.00 K
hhsetup.dll Thu May 26 2005 9:04:28p A.... 41,472 40.50 K
iepeers.dll Mon May 2 2005 3:52:34p A.... 250,880 245.00 K
inseng.dll Mon May 2 2005 3:52:34p A.... 96,256 94.00 K
islzma.dll Thu May 19 2005 2:06:22p A.... 102,912 100.50 K
iswwg.dll Sat Jun 25 2005 9:33:20p A.... 9,728 9.50 K
itircl.dll Thu May 26 2005 9:04:28p A.... 155,136 151.50 K
itss.dll Thu May 26 2005 9:04:28p A.... 137,216 134.00 K
iuengine.dll Thu May 26 2005 4:16:24a A.... 198,424 193.77 K
kldycc.dll Mon Jun 27 2005 5:35:44a ..S.R 417,792 408.00 K
mgl_hp.dll Fri Jun 24 2005 10:45:38p ..S.R 417,792 408.00 K
mshtml.dll Mon May 2 2005 3:52:36p A.... 3,012,608 2.87 M
mshtmled.dll Mon May 2 2005 3:52:36p A.... 448,512 438.00 K
msi.dll Wed May 4 2005 2:45:32p A.... 2,890,240 2.75 M
msrating.dll Mon May 2 2005 3:52:36p A.... 146,432 143.00 K
nippyup.dll Sat Jun 25 2005 9:33:20p A.... 27,648 27.00 K
nv4_disp.dll Wed Jun 15 2005 5:20:00p A.... 3,896,320 3.71 M
nvcod.dll Wed Jun 15 2005 5:20:00p A.... 32,768 32.00 K
nvcodins.dll Wed Jun 15 2005 5:20:00p A.... 32,768 32.00 K
nvcpl.dll Wed Jun 15 2005 5:20:00p A.... 6,803,456 6.49 M
nvhwvid.dll Wed Jun 15 2005 5:20:00p A.... 540,672 528.00 K
nview.dll Wed Jun 15 2005 5:20:00p A.... 1,462,272 1.39 M
nvmctray.dll Wed Jun 15 2005 5:20:00p A.... 86,016 84.00 K
nvnt4cpl.dll Wed Jun 15 2005 5:20:00p A.... 286,720 280.00 K
nvoglnt.dll Wed Jun 15 2005 5:20:00p A.... 5,136,384 4.90 M
nvshell.dll Wed Jun 15 2005 5:20:00p A.... 466,944 456.00 K
nvwddi.dll Wed Jun 15 2005 5:20:00p A.... 81,920 80.00 K
nvwdmcpl.dll Wed Jun 15 2005 5:20:00p A.... 1,662,976 1.59 M
nvwimg.dll Wed Jun 15 2005 5:20:00p A.... 1,019,904 996.00 K
oebcjt32.dll Thu Jun 30 2005 11:43:22p ..S.R 417,792 408.00 K
plcrt.dll Sat Jun 25 2005 11:05:28p ..S.R 417,792 408.00 K
pncrt.dll Sat Apr 30 2005 7:49:10a A.... 278,528 272.00 K
pndx5016.dll Sat Apr 30 2005 7:49:12a A.... 6,656 6.50 K
pndx5032.dll Sat Apr 30 2005 7:49:12a A.... 5,632 5.50 K
pngfilt.dll Mon May 2 2005 3:52:36p A.... 39,424 38.50 K
pudrv.dll Mon Jun 27 2005 9:45:46a ..... 417,792 408.00 K
rmoc3260.dll Sat Apr 30 2005 7:49:20a A.... 176,167 172.04 K
shdocvw.dll Mon May 2 2005 3:52:36p A.... 1,483,776 1.41 M
shlwapi.dll Mon May 2 2005 3:52:36p A.... 473,600 462.50 K
slimgvw.dll Sun Jun 26 2005 6:33:34a ..S.R 417,792 408.00 K
stlb2.dll Fri Jul 1 2005 1:37:32a A.... 229,376 224.00 K
urlmon.dll Mon May 2 2005 3:52:36p A.... 607,744 593.50 K
wedap32.dll Mon Jun 27 2005 9:47:24a ..S.R 417,792 408.00 K
wininet.dll Mon May 2 2005 3:52:36p A.... 657,920 642.50 K
wuapi.dll Thu May 26 2005 4:16:30a A.... 465,176 454.27 K
wuaueng.dll Thu May 26 2005 4:16:30a A.... 1,343,768 1.28 M
wuaueng1.dll Thu May 26 2005 4:16:30a A.... 194,328 189.77 K
wucltui.dll Thu May 26 2005 4:16:30a A.... 127,256 124.27 K
wups.dll Thu May 26 2005 4:16:30a A.... 41,240 40.27 K
wups2.dll Thu May 26 2005 4:16:30a A.... 18,200 17.77 K
wuweb.dll Thu May 26 2005 4:16:30a A.... 173,536 169.47 K
xpsp3res.dll Mon May 16 2005 7:25:36p ..... 15,360 15.00 K
zwib.dll Fri Jul 1 2005 1:11:56a ..S.R 417,792 408.00 K

56 items found: 56 files (7 H/S), 0 directories.
Total of file sizes: 40,100,551 bytes 38.24 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Sat Jun 25 2005 4:21:54a ..S.R 417,792 408.00 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 417,792 bytes 408.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is E087-0B8C

Directory of C:\WINDOWS\System32

07/01/2005 01:11 AM 417,792 zwib.dll
06/30/2005 11:43 PM 417,792 oebcjt32.dll
06/30/2005 11:12 PM <DIR> dllcache
06/27/2005 09:47 AM 417,792 wedap32.dll
06/27/2005 05:35 AM 417,792 kldycc.dll
06/26/2005 06:33 AM 417,792 slimgvw.dll
06/25/2005 11:05 PM 417,792 plcrt.dll
06/25/2005 04:21 AM 417,792 guard.tmp
06/24/2005 10:45 PM 417,792 mgl_hp.dll
05/23/2005 06:40 PM 761 mmf.sys
02/22/2005 11:02 PM 475 fhnyz.dll
12/31/2003 11:59 PM 1,104 SzepW5ln.cvb
07/30/2003 01:45 PM 769 mmf(2)(2).sys
07/29/2003 08:26 AM 769 mmf(3)(2).sys
07/28/2003 11:15 AM 769 mmf(4)(2).sys
07/28/2003 11:10 AM 769 mmf(5)(2).sys
07/24/2003 12:28 AM 769 mmf(6)(2).sys
07/22/2003 03:30 PM 769 mmf(7)(2).sys
07/22/2003 03:13 PM 769 mmf(8)(2).sys
07/21/2003 08:26 PM 769 mmf(9)(2).sys
07/20/2003 07:27 PM 769 mmf(10)(2).sys
07/20/2003 01:40 PM 769 mmf(11)(2).sys
07/19/2003 04:47 PM 769 mmf(12)(2).sys
07/18/2003 08:57 AM 761 mmf(13)(2).sys
07/18/2003 08:55 AM 761 mmf(14)(2).sys
07/17/2003 08:38 PM 761 mmf(15)(2).sys
07/17/2003 06:41 PM 761 mmf(16)(2).sys
07/17/2003 01:37 PM 761 mmf(17)(2).sys
07/16/2003 01:24 PM 761 mmf(18)(2).sys
07/15/2003 12:14 AM 761 mmf(19)(2).sys
07/14/2003 01:17 AM 761 mmf(20)(2).sys
07/12/2003 09:50 PM 761 mmf(21)(2).sys
07/12/2003 08:54 PM 761 mmf(22)(2).sys
07/11/2003 03:58 PM 761 mmf(23)(2).sys
07/11/2003 10:24 AM 761 mmf(24)(2).sys
07/11/2003 09:31 AM 761 mmf(25)(2).sys
07/08/2003 12:32 PM 761 mmf(26)(2).sys
07/08/2003 12:44 AM 761 mmf(27)(2).sys
07/06/2003 09:12 PM 761 mmf(28)(2).sys
07/05/2003 04:37 PM 761 mmf(29)(2).sys
07/05/2003 02:12 PM 761 mmf(30)(2).sys
07/04/2003 06:46 AM 761 mmf(31)(2).sys
07/01/2003 04:43 PM 761 mmf(32)(2).sys
07/01/2003 04:07 PM 761 mmf(33)(2).sys
06/30/2003 04:49 PM 761 mmf(34)(2).sys
06/27/2003 12:13 PM 761 mmf(35)(2).sys
06/26/2003 03:23 AM 761 mmf(36)(2).sys
06/25/2003 11:21 AM 761 mmf(37)(2).sys
06/25/2003 01:17 AM 761 mmf(38)(2).sys
01/01/2003 02:20 AM <DIR> Microsoft
12/30/2002 03:34 PM 1,703,936 gdiplus.dll
09/20/2002 03:00 AM 181,296 SCSIACC.EXE
50 File(s) 5,258,153 bytes
2 Dir(s) 2,948,366,336 bytes free

Edited by Torgar, 01 July 2005 - 01:44 AM.


#7 H@ns

H@ns

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:07:26 PM

Posted 01 July 2005 - 11:14 AM

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

#8 Torgar

Torgar
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:01:26 PM

Posted 01 July 2005 - 11:31 AM

Okay, here you go :thumbsup:

The l2 log....

L2Mfix 1.03

Running From:
C:\DOCUME~1\ADAMEL~1\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Adam Ellison\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Adam Ellison\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1376 'explorer.exe'
Killing PID 1376 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1556 'rundll32.exe'
Killing PID 1644 'rundll32.exe'
Killing PID 1676 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\cnseqchk.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cnseqchk.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kldycc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kldycc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mgl_hp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mgl_hp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\oebcjt32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\oebcjt32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\plcrt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\plcrt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pudrv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pudrv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\slimgvw.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\slimgvw.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wedap32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wedap32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\zwib.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\zwib.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\cnseqchk.dll
Successfully Deleted: C:\WINDOWS\system32\cnseqchk.dll
deleting: C:\WINDOWS\system32\cnseqchk.dll
Successfully Deleted: C:\WINDOWS\system32\cnseqchk.dll
deleting: C:\WINDOWS\system32\kldycc.dll
Successfully Deleted: C:\WINDOWS\system32\kldycc.dll
deleting: C:\WINDOWS\system32\kldycc.dll
Successfully Deleted: C:\WINDOWS\system32\kldycc.dll
deleting: C:\WINDOWS\system32\mgl_hp.dll
Successfully Deleted: C:\WINDOWS\system32\mgl_hp.dll
deleting: C:\WINDOWS\system32\mgl_hp.dll
Successfully Deleted: C:\WINDOWS\system32\mgl_hp.dll
deleting: C:\WINDOWS\system32\oebcjt32.dll
Successfully Deleted: C:\WINDOWS\system32\oebcjt32.dll
deleting: C:\WINDOWS\system32\oebcjt32.dll
Successfully Deleted: C:\WINDOWS\system32\oebcjt32.dll
deleting: C:\WINDOWS\system32\plcrt.dll
Successfully Deleted: C:\WINDOWS\system32\plcrt.dll
deleting: C:\WINDOWS\system32\plcrt.dll
Successfully Deleted: C:\WINDOWS\system32\plcrt.dll
deleting: C:\WINDOWS\system32\pudrv.dll
Successfully Deleted: C:\WINDOWS\system32\pudrv.dll
deleting: C:\WINDOWS\system32\pudrv.dll
Successfully Deleted: C:\WINDOWS\system32\pudrv.dll
deleting: C:\WINDOWS\system32\slimgvw.dll
Successfully Deleted: C:\WINDOWS\system32\slimgvw.dll
deleting: C:\WINDOWS\system32\slimgvw.dll
Successfully Deleted: C:\WINDOWS\system32\slimgvw.dll
deleting: C:\WINDOWS\system32\wedap32.dll
Successfully Deleted: C:\WINDOWS\system32\wedap32.dll
deleting: C:\WINDOWS\system32\wedap32.dll
Successfully Deleted: C:\WINDOWS\system32\wedap32.dll
deleting: C:\WINDOWS\system32\zwib.dll
Successfully Deleted: C:\WINDOWS\system32\zwib.dll
deleting: C:\WINDOWS\system32\zwib.dll
Successfully Deleted: C:\WINDOWS\system32\zwib.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

Desktop.ini sucessfully removed


Zipping up files for submission:
adding: cnseqchk.dll (164 bytes security) (deflated 48%)
adding: kldycc.dll (164 bytes security) (deflated 48%)
adding: mgl_hp.dll (164 bytes security) (deflated 48%)
adding: oebcjt32.dll (164 bytes security) (deflated 48%)
adding: plcrt.dll (164 bytes security) (deflated 48%)
adding: pudrv.dll (164 bytes security) (deflated 48%)
adding: slimgvw.dll (164 bytes security) (deflated 48%)
adding: wedap32.dll (164 bytes security) (deflated 48%)
adding: zwib.dll (164 bytes security) (deflated 48%)
adding: guard.tmp (164 bytes security) (deflated 48%)
adding: clear.reg (164 bytes security) (deflated 46%)
adding: echo.reg (164 bytes security) (deflated 10%)
adding: desktop.ini (164 bytes security) (stored 0%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 84%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 68%)
adding: test.txt (164 bytes security) (deflated 86%)
adding: test2.txt (164 bytes security) (deflated 27%)
adding: test3.txt (164 bytes security) (deflated 27%)
adding: test5.txt (164 bytes security) (deflated 27%)
adding: xfind.txt (164 bytes security) (deflated 82%)
adding: backregs/51D961F7-8E88-4434-8AA4-0C11A0CA850E.reg (164 bytes security) (deflated 70%)
adding: backregs/6EF42881-D128-4CB2-8ACD-E1D201419DA8.reg (164 bytes security) (deflated 70%)
adding: backregs/D11F859D-9328-4275-A949-5D53587F4919.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: cnseqchk.dll
deleting local copy: cnseqchk.dll
deleting local copy: kldycc.dll
deleting local copy: kldycc.dll
deleting local copy: mgl_hp.dll
deleting local copy: mgl_hp.dll
deleting local copy: oebcjt32.dll
deleting local copy: oebcjt32.dll
deleting local copy: plcrt.dll
deleting local copy: plcrt.dll
deleting local copy: pudrv.dll
deleting local copy: pudrv.dll
deleting local copy: slimgvw.dll
deleting local copy: slimgvw.dll
deleting local copy: wedap32.dll
deleting local copy: wedap32.dll
deleting local copy: zwib.dll
deleting local copy: zwib.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\cnseqchk.dll
C:\WINDOWS\system32\cnseqchk.dll
C:\WINDOWS\system32\kldycc.dll
C:\WINDOWS\system32\kldycc.dll
C:\WINDOWS\system32\mgl_hp.dll
C:\WINDOWS\system32\mgl_hp.dll
C:\WINDOWS\system32\oebcjt32.dll
C:\WINDOWS\system32\oebcjt32.dll
C:\WINDOWS\system32\plcrt.dll
C:\WINDOWS\system32\plcrt.dll
C:\WINDOWS\system32\pudrv.dll
C:\WINDOWS\system32\pudrv.dll
C:\WINDOWS\system32\slimgvw.dll
C:\WINDOWS\system32\slimgvw.dll
C:\WINDOWS\system32\wedap32.dll
C:\WINDOWS\system32\wedap32.dll
C:\WINDOWS\system32\zwib.dll
C:\WINDOWS\system32\zwib.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{6EF42881-D128-4CB2-8ACD-E1D201419DA8}"=-
"{51D961F7-8E88-4434-8AA4-0C11A0CA850E}"=-
"{D11F859D-9328-4275-A949-5D53587F4919}"=-
[-HKEY_CLASSES_ROOT\CLSID\{6EF42881-D128-4CB2-8ACD-E1D201419DA8}]
[-HKEY_CLASSES_ROOT\CLSID\{51D961F7-8E88-4434-8AA4-0C11A0CA850E}]
[-HKEY_CLASSES_ROOT\CLSID\{D11F859D-9328-4275-A949-5D53587F4919}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************




And the HijackThis log.....
Logfile of HijackThis v1.99.1
Scan saved at 11:28:32 AM, on 7/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hpjjlm.exe
C:\Program Files\Ares\Ares.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Adam Ellison\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tjgeizj] c:\windows\system32\sqtbuj.exe r
O4 - HKLM\..\Run: [jbkgksq] c:\windows\system32\ocnhwg.exe r
O4 - HKLM\..\Run: [dyhmrh] c:\windows\system32\bfnisqb.exe r
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\hpjjlm.exe reg_run
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [iphpsh] C:\WINDOWS\system32\iphpsh.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9996.dll' missing
O16 - DPF: WebControlDeploy -
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...lls/install.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...312/mcfscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://sc.communities.msn.com/controls/chat/msnchat45.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} (download_35mb_com.applet) - http://static.35mb.com/applet/applet_o.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\System32\MsPMSPSv.exe (file missing)


Thanks! :flowers:

#9 H@ns

H@ns

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:07:26 PM

Posted 01 July 2005 - 11:41 AM

If running Windows XP Pro: run this tool http://homepage.ntlworld.com/spencer.greys.../XPProfiles.exe

If running Windows XP Home: run this tool http://homepage.ntlworld.com/spencer.greys...XPHomeFiles.exe

(Running the tool is just extracting the files to the already specified location and closing the tool)

Reboot.

Download the FindQoologic-Narrator.zip and save it to your Desktop.
http://forums.net-integration.net/index.ph...=post&id=134981

The above files written by O_E were written specifically for this infection and is not to be used on any other infection as it could damage a person's PC

1. Extract (unzip) the files inside into their own folder called FindQoologic.
2. Open the FindQoologic folder.
3. Locate and double-click the Find-Qoologic2.bat to run it.

* The tool will open a DOS window and begin to check your system.
When it is finished a text file will open in Notepad called "file.txt".
* Save this text file in the FindQoologic folder.
* Close the DOS box If on win 98 or me.

4. Open the file you saved and copy / paste its content to this thread (as a reply).

#10 Torgar

Torgar
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:01:26 PM

Posted 01 July 2005 - 12:21 PM

:thumbsup: Here you are!

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* aspack C:\WINDOWS\System32\WKAAG.DAT
* aspack C:\WINDOWS\System32\DMNNXON.EXE
* aspack C:\WINDOWS\System32\HPJJLM.EXE
* aspack C:\WINDOWS\System32\MRT.EXE
* UPX! C:\WINDOWS\System32\CTBV2.DLL
* aspack C:\WINDOWS\NAIL.EXE
* UPX! C:\WINDOWS\DAEMON.DLL
* UPX! C:\WINDOWS\USCSCSI.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e

Global Startup:
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
.
..
desktop.ini
rikk.exe

User Startup:
C:\Documents and Settings\Adam Ellison\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG Shell Extension
<NO NAME> REG_SZ {1E2CDF40-419B-11D2-A5A1-002018648BA7}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
<NO NAME> REG_SZ {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
<NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mxnnsqnx
<NO NAME> REG_SZ {b24493dd-a6a5-49e0-a658-59b9a2026e1d}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
<NO NAME> REG_SZ {B41DB860-8EE4-11D2-9906-E49FADC173CA}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin



:flowers:

#11 Torgar

Torgar
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:01:26 PM

Posted 01 July 2005 - 03:12 PM

Just bumping before it gets lost for another 5 days :thumbsup:

#12 Torgar

Torgar
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:01:26 PM

Posted 01 July 2005 - 10:47 PM

:thumbsup:

Page 6 :flowers:

#13 Torgar

Torgar
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:01:26 PM

Posted 05 July 2005 - 02:45 AM

Keep getting lost among the masses :thumbsup:

#14 Torgar

Torgar
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:01:26 PM

Posted 11 July 2005 - 08:59 PM

Keep getting lost among the masses :thumbsup:

:flowers:

#15 Torgar

Torgar
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:01:26 PM

Posted 29 July 2005 - 09:27 AM

Keep getting lost among the masses  :thumbsup:

:flowers:

:trumpet:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users